SPIP Blind Server-Side Request Forgery Vulnerability

Vulnerability

A blind server-side request forgery (SSRF) vulnerability has been identified in SPIP versions prior to 4.4.9. This vulnerability exists in the private area when editing syndicated sites. The application fails to validate whether the syndication URL is a legitimate remote URL, allowing authenticated attackers to make the server send requests to arbitrary internal or external destinations. Notably, this issue is not addressed by SPIP's security screen.
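One way to perform the check the description says is missing, as an added example that is not SPIP's own code: accept a syndication URL only if its scheme is http(s) and every address its host maps to is public. The `resolver` parameter is an assumption so the check can run offline; the fetch itself should then connect to the addresses that passed, so a later DNS answer cannot swap in an internal one.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example (not SPIP's code): validate that a syndication URL points at a
# legitimate remote host before the server is allowed to fetch it.

ALLOWED_SCHEMES = {"http", "https"}


def _resolve(host):
    """Default resolver: every address the host name maps to (hypothetical helper)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_public(ip_text):
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_remote_url(url, resolver=_resolve):
    """Return (ok, reason); ok is True only for a public http(s) destination."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost"
    try:
        # A literal IP needs no lookup; otherwise check every resolved address.
        addrs = {str(ipaddress.ip_address(host))}
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            return False, "unresolvable host"
    if not addrs:
        return False, "unresolvable host"
    for addr in addrs:
        if not _is_public(addr):
            return False, f"non-public address {addr}"
    return True, "ok"
```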

Impact

Exploitation of this vulnerability allows for blind server-side request forgery, where the server is tricked into making requests on behalf of the attacker to internal or external resources.

Remediation

Users can update to SPIP version 4.4.9, which addresses this vulnerability. The update can be performed using the SPIP loader or by downloading the latest version from the SPIP website.

Added: Feb 19, 2026, 7:37 PM
Updated: Feb 19, 2026, 7:37 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 0.4
exploitability: 5.5
remediation: 7.7
relevance: 3.2
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.